authorMichael Brown <mcb30@ipxe.org>2020-12-08 14:58:46 +0000
committerMichael Brown <mcb30@ipxe.org>2020-12-08 15:04:28 +0000
commit39f5293492f351a274940d0ba2624ecb242b3c9b (patch)
treeead79747a5ab15d5db6dd4a236acdc9f224c7590 /src/tests/x509_test.c
parent6e92d6213d20329d8b84431f00d8cbe7d63bb379 (diff)
[x509] Record root of trust used when validating a certificate
Record the root of trust used at the point that a certificate is validated, redefine validation as checking a certificate against a specific root of trust, and pass an explicit root of trust when creating a TLS connection. This allows a custom TLS connection to be used with a custom root of trust, without causing any validated certificates to be treated as valid for normal purposes. Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/tests/x509_test.c')
-rw-r--r--src/tests/x509_test.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/tests/x509_test.c b/src/tests/x509_test.c
index 658d5247c..2915b9068 100644
--- a/src/tests/x509_test.c
+++ b/src/tests/x509_test.c
@@ -943,6 +943,10 @@ static void x509_validate_chain_okx ( struct x509_test_chain *chn, time_t time,
x509_invalidate_chain ( chn->chain );
okx ( x509_validate_chain ( chn->chain, time, store, root ) == 0,
file, line );
+ okx ( x509_is_valid ( chn->certs[0]->cert, root ),
+ file, line );
+ okx ( ! x509_is_valid ( chn->certs[0]->cert, &dummy_root ),
+ file, line );
}
#define x509_validate_chain_ok( chn, time, store, root ) \
x509_validate_chain_okx ( chn, time, store, root, __FILE__, __LINE__ )
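Review bot: The two added assertions in x509_validate_chain_okx check only `chn->certs[0]->cert`, so the per-root scoping of validity is pinned for a single certificate and any other certificates in the chain could still be reported valid against an unrelated root without this test noticing. Consider looping over the chain's certificates, or state in a comment why the first entry is sufficient. The negative check is the one that guards the security property, so it deserves a comment such as `/* Validity is recorded per root of trust: must not be valid for an unrelated root */`. It also assumes no caller ever passes `&dummy_root` as `root`, since the second `okx` would then fail; a guard or a note on the macro would make that precondition explicit. The function's opening lines and the definition of `dummy_root` are outside the hunk, so this is based only on the visible lines.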